diff options
author | Karl Hiramoto <karl@hiramoto.org> | 2014-03-05 11:25:24 +0000 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-03-05 15:24:06 +0000 |
commit | ea623966b9c48a640cac5c5a5415decca2329249 (patch) | |
tree | 04b6b040cff64bd382694b002b3811cc879bad7b /meta/recipes-support | |
parent | 61a507c545aead7e49da1e8ad54dec07a648fdb5 (diff) | |
download | openembedded-core-ea623966b9c48a640cac5c5a5415decca2329249.tar.gz openembedded-core-ea623966b9c48a640cac5c5a5415decca2329249.tar.bz2 openembedded-core-ea623966b9c48a640cac5c5a5415decca2329249.zip |
gnutls: Fixed bug that prevented the rejection of v1 intermediate CA certificates.
This patch is for the OE-Core master branch - it comes from upstream:
>From 467478d8ff08a3cb4be3034ff04c9d08a0ceba3e
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Wed, 12 Feb 2014 16:41:33 +0100
For more info see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1959
http://www.gnutls.org/security.html#GNUTLS-SA-2014-1
https://www.gitorious.org/gnutls/gnutls/commit/467478d8ff08a3cb4be3034ff04c9d08a0ceba3e
Signed-off-by: Karl Hiramoto <karl@hiramoto.org>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-support')
-rw-r--r-- | meta/recipes-support/gnutls/gnutls/CVE-2014-1959-rejection-of-v1-intermediate-cert.patch | 33 | ||||
-rw-r--r-- | meta/recipes-support/gnutls/gnutls_2.12.23.bb | 3 |
2 files changed, 35 insertions, 1 deletions
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2014-1959-rejection-of-v1-intermediate-cert.patch b/meta/recipes-support/gnutls/gnutls/CVE-2014-1959-rejection-of-v1-intermediate-cert.patch new file mode 100644 index 0000000000..6567257a83 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2014-1959-rejection-of-v1-intermediate-cert.patch @@ -0,0 +1,33 @@ +From 467478d8ff08a3cb4be3034ff04c9d08a0ceba3e Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Wed, 12 Feb 2014 16:41:33 +0100 +Subject: [PATCH 1/5] Fixed bug that prevented the rejection of v1 intermediate + CA certificates. + +Upstream-Status: Backport + +Signed-off-by: Karl Hiramoto <karl@hiramoto.org> + +--- + lib/x509/verify.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/lib/x509/verify.c b/lib/x509/verify.c +index 2efcebf..c9a6b0d 100644 +--- a/lib/x509/verify.c ++++ b/lib/x509/verify.c +@@ -645,7 +645,10 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list, + * certificates can exist in a supplied chain. + */ + if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) +- flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); ++ { ++ flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); ++ flags |= GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT; ++ } + if ((ret = + _gnutls_verify_certificate2 (certificate_list[i - 1], + &certificate_list[i], 1, flags, +-- +1.8.3.2 + diff --git a/meta/recipes-support/gnutls/gnutls_2.12.23.bb b/meta/recipes-support/gnutls/gnutls_2.12.23.bb index e26b154601..04605dd7b4 100644 --- a/meta/recipes-support/gnutls/gnutls_2.12.23.bb +++ b/meta/recipes-support/gnutls/gnutls_2.12.23.bb @@ -6,7 +6,8 @@ SRC_URI += "file://gnutls-openssl.patch \ file://correct_rpl_gettimeofday_signature.patch \ file://configure-fix.patch \ file://avoid_AM_PROG_MKDIR_P_warning_error_with_automake_1.12.patch \ - file://CVE-2014-0092-corrected-return-codes.patch \ + file://CVE-2014-1959-rejection-of-v1-intermediate-cert.patch \ + file://CVE-2014-0092-corrected-return-codes.patch \ ${@['', 'file://fix-gettext-version.patch'][bb.data.inherits_class('native', d) or (not ((d.getVar("INCOMPATIBLE_LICENSE", True) or "").find("GPLv3") != -1))]} \ " |